patched the XSS scanner, should work better now

This commit is contained in:
ekultek 2017-09-27 10:35:39 -05:00
parent 4ba8a8a0f4
commit 166e918223
4 changed files with 41 additions and 42 deletions

View file

@ -10,7 +10,8 @@ from lib.settings import (
set_color,
DEFAULT_USER_AGENT,
proxy_string_to_dict,
DBMS_ERRORS
DBMS_ERRORS,
create_tree,
)
@ -28,9 +29,12 @@ def create_urls(url, payload_list):
return tf_name
def find_xss_script(url, query=4):
def find_xss_script(url, query=4, fragment=5):
data = urlparse.urlparse(url)
return data[query]
if data[fragment] is not "" or None:
return "{}{}".format(data[query], data[fragment])
else:
return data[query]
def scan_xss(url, agent=None, proxy=None):
@ -51,7 +55,7 @@ def scan_xss(url, agent=None, proxy=None):
return False
def main_xss(start_url, verbose=False, proxy=None, agent=DEFAULT_USER_AGENT, try_all=False):
def main_xss(start_url, verbose=False, proxy=None, agent=None):
find_xss_script(start_url)
logger.info(set_color(
"loading payloads..."
@ -67,31 +71,30 @@ def main_xss(start_url, verbose=False, proxy=None, agent=DEFAULT_USER_AGENT, try
filename = create_urls(start_url, payloads)
if verbose:
logger.debug(set_color(
"loaded URL's have been saved to '{}'...".format(filename)
"loaded URL's have been saved to '{}'...".format(filename), level=10
))
logger.info(set_color(
"testing for XSS vulnerabilities on host '{}'...".format(start_url)
))
logger.info(set_color(
"adjusting user agent to '{}'...".format(agent)
))
if proxy is not None:
logger.info(set_color(
"using proxy '{}'...".format(proxy)
))
success = set()
with open(filename) as urls:
for url in urls:
for url in urls.readlines():
url = url.strip()
result = scan_xss(url, proxy=proxy, agent=agent)
payload = find_xss_script(url)
logger.info(set_color(
"trying payload '{}'...".format(payload)
))
if result:
logger.info(set_color(
"host '{}' appears to be vulnerable to XSS attacks using payload '{}'...".format(
start_url, payload
)
))
if not try_all:
return
success.add(url)
if verbose:
logger.debug(set_color(
"payload '{}' appears to be usable...".format(payload), level=10
))
elif result is "sqli":
logger.error(set_color(
"loaded URL '{}' threw a DBMS error and appears to be SQLi vulnerable, test for SQL injection".format(
@ -104,4 +107,5 @@ def main_xss(start_url, verbose=False, proxy=None, agent=DEFAULT_USER_AGENT, try
"host '{}' does not appear to be vulnerable to XSS attacks with payload '{}'...".format(
start_url, payload
), level=10
))
))
create_tree(start_url, list(success))

View file

@ -22,7 +22,7 @@ except NameError:
# clone link
CLONE = "https://github.com/ekultek/zeus-scanner.git"
# current version <major.minor.commit.patch ID>
VERSION = "1.0.18.7db8"
VERSION = "1.0.18.7124"
# colors to output depending on the version
VERSION_TYPE_COLORS = {"dev": 33, "stable": 92, "other": 30}
# version string formatting
@ -380,14 +380,4 @@ def create_tree(start, conns, down="|", over="-", sep="-" * 40):
down, over, con
)
)
print(sep)
def add_https(url):
"""
add https:// to a url
"""
if "https://" in url:
return url
else:
return "https://{}".format(url.split("://")[-1])
print(sep)

View file

@ -18,7 +18,6 @@ from lib.settings import (
URL_REGEX,
shutdown,
create_dir,
add_https
)
@ -26,23 +25,30 @@ def bypass_ip_block(url, content_sep=("continue=", "Fid", "%")):
"""
bypass Google's IP blocking by extracting the true URL from the ban URL.
"""
def __add_https(data):
if "https://" in data:
return data
else:
return "https://{}".format(url.split("://")[-1])
if isinstance(url, unicode):
url = str(url)
index_list = []
index_list_2 = []
content_list_start = []
content_list_end = []
if content_sep[0] in url:
data_list = url.split(content_sep[0])
url_to_use = data_list[1]
else:
url_to_use = url
for m in re.finditer(content_sep[1], url_to_use):
index_list.append((m.start(), m.end()))
splice_to_use = index_list[-1][-1]
for match in re.finditer(content_sep[1], url_to_use):
content_list_start.append((match.start(), match.end()))
splice_to_use = content_list_start[-1][-1]
for m2 in re.finditer(content_sep[2], url[0:splice_to_use]):
index_list_2.append((m2.start(), m2.end()))
return add_https(url[0:index_list_2[-1][-1] - 1])
for match in re.finditer(content_sep[2], url[0:splice_to_use]):
content_list_end.append((match.start(), match.end()))
return __add_https(url[0:content_list_end[-1][-1] - 1])
def get_urls(query, url, verbose=False, warning=True, user_agent=None, proxy=None, **kwargs):
@ -118,7 +124,8 @@ def get_urls(query, url, verbose=False, warning=True, user_agent=None, proxy=Non
"obtaining URL from selenium..."
))
retval = browser.current_url
if "http://ipv6.google.com" or "http://ipv4.google.com" in retval:
ban_url_schema = ["http://ipv6.google.com", "http://ipv4.google.com"]
if any(u in retval for u in ban_url_schema): # if you got IP banned
logger.warning(set_color(
"it appears that Google is attempting to block your IP address, attempting bypass...", level=30
))

View file

@ -93,8 +93,6 @@ if __name__ == "__main__":
help="Show the arguments that nmap understands")
attacks.add_option("-P", "--show-possibles", dest="showAllConnections", action="store_true",
help="Show all connections made during the admin panel search")
attacks.add_option("--run-all", dest="runAllXssPayloads", action="store_true",
help="Run every loaded XSS payload")
# search engine options
engines = optparse.OptionGroup(parser, "Search engine arguments",
@ -363,7 +361,7 @@ if __name__ == "__main__":
elif admin:
main(url, show=opt.showAllConnections, verbose=verbose)
elif xss:
main_xss(url, verbose=verbose, proxy=proxy_to_use, agent=agent_to_use, try_all=opt.runAllXssPayloads)
main_xss(url, verbose=verbose, proxy=proxy_to_use, agent=agent_to_use)
else:
pass
else: